Problem
The code that calls string_interpret_escape() allocates a buffer sized to the string's actual length, but the pointer produced by the escape handling can end up past the end of that buffer. As a result, processing an input string can read data from outside the bounds of the allocated buffer, and an attempt to write the unescaped string can write outside the buffer.
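As an added illustration (not Exim's code), here is a simplified escape decoder in C that guards the edge case described above, a string ending in a lone backslash, and the related one of a multi-character escape cut short by the terminator. The escape subset it accepts and the strict two-digit \xhh form are assumptions of this example, not Exim's exact rules.

```c
#include <ctype.h>
#include <string.h>
static int hexval(int ch)                  /* caller has checked isxdigit() */
{
    return isdigit(ch) ? ch - '0' : tolower(ch) - 'a' + 10;
}

/* Decode a backslash-escaped string from `in` into `out` (capacity `outlen`,
 * NUL included). Returns bytes produced, or -1 on malformed input or lack of
 * space. The escape subset (\n \\ \xhh, anything else literal) is an assumption
 * of this example, not Exim's rules. The checks marked "edge case" are what an
 * unguarded decoder lacks: after stepping over a backslash it must not step past
 * the terminating NUL, or it reads, and later writes, beyond an exact-size buffer. */
int unescape_checked(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (const char *p = in; *p != '\0'; p++) {
        char c = *p;
        if (c == '\\') {
            p++;                           /* the character after the backslash */
            if (*p == '\0')                /* edge case: lone trailing backslash */
                return -1;
            switch (*p) {
            case 'n':  c = '\n'; break;
            case '\\': c = '\\'; break;
            case 'x':                      /* edge case: \x needs two digits */
                if (!isxdigit((unsigned char)p[1]) || !isxdigit((unsigned char)p[2]))
                    return -1;
                c = (char)((hexval(p[1]) << 4) | hexval(p[2]));
                p += 2;
                break;
            default:   c = *p; break;      /* \q -> q */
            }
        }
        if (n + 1 >= outlen)               /* keep room for the NUL */
            return -1;
        out[n++] = c;
    }
    out[n] = '\0';
    return (int)n;
}

/* 1 if `in` decodes (buffer of `cap` bytes, at most 64) to `expected`,
 * 0 if it decodes to something else, -1 if the decoder rejected it. */
int decodes_to(const char *in, size_t cap, const char *expected)
{
    char buf[64];
    int n = unescape_checked(in, buf, cap > sizeof buf ? sizeof buf : cap);
    return n < 0 ? -1 : strcmp(buf, expected) == 0;
}
```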
In the default configuration, the vulnerability can be exploited by passing specially crafted data in the SNI when establishing a TLS connection to the server. The problem can also be exploited through modified peerdn values in configurations set up for client-certificate authentication, or when importing certificates. Attack via SNI and peerdn is possible starting from release
An exploit prototype has been prepared for the SNI attack vector; it works on i386 and amd64 Linux systems with glibc. The exploit relies on overlapping data in the heap, which results in overwriting the memory that holds the name of the log file. The file name is replaced with "/../../../../../../../../etc/passwd". The variable holding the sender's address, which is the first thing written to the log, is then overwritten, which makes it possible to add a new user to the system.
Package updates addressing the vulnerability have been released by distributions.
As a workaround to block the vulnerability, you can disable TLS support or add the following to the "acl_smtp_mail" ACL section (rejecting any SNI or peerdn value whose last character is a backslash):
deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_peerdn}}}}
Source: opennet.ru